<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@page import="java.sql.*" %>
<%@page import="com.sectooladdict.database.ConnectionPoolManager" %>
<%@page import="com.sectooladdict.validators.InputValidator" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Case 7 - Injection into a numeric value in an update page with quote validation and identical responses</title>
</head>
<body>

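<%
// Benchmark case 7 (sectooladdict / WAVSEP-style deliberately vulnerable page).
// The transactionId parameter is concatenated into an UPDATE as a bare numeric
// literal. InputValidator.validateQuotes() only rejects quote characters, and a
// numeric context needs none, so a time-delay expression ORed onto the number
// still reaches the database. Every outcome -- validation failure, successful
// update, exception -- emits the identical body "0", so the only observable
// signal is response time (hence "TimeDelayExploit" in the page name).
// The string-built SQL IS the test case: do not replace it with a
// PreparedStatement without retiring the case.
if (request.getParameter("transactionId") == null) {
%>
	Select a Transaction to Initialize:<br><br>
	<form name="frmInput" id="frmInput" action="Case07-InjectionInUpdate-NumericWithoutQuotes-TimeDelayExploit-200Identical.jsp" method="POST">
		<SELECT name="transactionId" id="transactionId">
			<option value="895" selected="selected">895</option>
		</SELECT>
		<br>
		<input type=submit value="submit">
	</form><br>
	
<%
}
else {
	Connection conn = null;
	Statement stmt = null;
	try {
		String transactionId = request.getParameter("transactionId");

		if (InputValidator.validateQuotes(transactionId)) {
			// Quote filter tripped: same "0" body as every other outcome.
			out.println("0");
			out.flush();
		} else {
			conn = ConnectionPoolManager.getConnection();
			System.out.print("Connection Opened Successfully\n");

			// A single Statement; the original created two and never closed either.
			stmt = conn.createStatement();

			// Intentional injection point (see header comment): numeric context, no quotes.
			String sqlString =
				"UPDATE transactions " +
				"SET description='empty' " +
				"WHERE transactionId=" + transactionId;
			stmt.executeUpdate(sqlString);

			out.println("0");
			out.flush();
		}
	} catch (Exception e) {
		// Identical response on error so nothing about the failure leaks via the body.
		out.println("0");
		out.flush();

		// Syntax errors are expected noise from scanner payloads and are not logged;
		// anything else (pool exhaustion, connectivity) deserves a server-side trace.
		if (!(e instanceof com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException)) {
			System.out.println("Exception details: " + e);
		}
	} finally {
		// Release JDBC resources on every path. Close failures are swallowed on
		// purpose: an exception escaping here would turn the response into an
		// error page and break the "identical responses" property of the case.
		if (stmt != null) {
			try {
				stmt.close();
			} catch (Exception ignored) {
				// best effort; the connection is returned to the pool below regardless
			}
		}
		if (conn != null) {
			try {
				ConnectionPoolManager.closeConnection(conn);
			} catch (Exception ignored) {
				// best effort; nothing further to do with a connection we cannot return
			}
		}
	}
} //end of if/else block
%>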

</body>
</html>